Hendon Publishing - Article Archive Details

We are living in truly exponential times. For example, there are 31 billion searches on Google every month, and in 2006, this number was 2.7 billion. The first commercial text message was sent in December 1992. Today the number of text messages sent and received every day exceeds the total population of the planet. The number of Internet devices in 1984 was around 1,000. The number of Internet devices in 1992 was around 1 million. The number of Internet devices in 2008 is around 1 billion.

Think about where we came from: floppy drives, to USB drives, to micro SD cards in our PDAs. I actually watched a full-length movie on a Blackberry Bold that was loaded on a micro SD card. Now that’s impressive! As law enforcement tries to keep up with this quest for more technology, faster speeds and smaller devices, we often overlook some of the associated risks that accompany these advancements. In North America, many law enforcement agencies are now looking to refresh their aging in-vehicle laptops to newer models. In legacy hardware applications, the backup for many agencies was a floppy drive on the laptop. But new hardware doesn’t include floppy drives; they have all upgraded to SD cards or USB drives.

One of those risks has been defined by experts in the field as “endpoint security.” Endpoints can be almost anything—USB drives, iPods, CDs, DVDs, laptop computers, PDAs, Blackberrys, even digital cameras with SD cards. They are all ticking time bombs, and they are all keeping information technology security folks from having any restful sleep at night. Billions of dollars have been spent making sure brilliant hackers can’t attack computers from across the world. But many of us have forgotten one big loophole: firewalls generally don’t stop anyone from attaching a USB thumb drive to a computer and stealing gigabytes’ worth of confidential information from a company or government agency.

A few years ago, a hospital in the United States lost one of those tiny USB drives, and it exposed thousands of patients to identity theft. The drive contained personal information on about 120,000 past and present patients. This data, in the wrong hands, could have easily led to identity theft. Even the U.S. military has lost control of a series of similar tiny thumb drives, obviously with the potential for far more serious consequences. In Canada, the loss of secure medical records has been reported by media outlets with little or no repercussions for those agencies responsible.

That’s not to say that anyone did this on purpose. Someone probably was trying to be diligent and back up his files, and the data probably landed on those drives through normal, but careless, daily operations. Remember the days before networks, when you would share a file with a friend by copying it onto a floppy disk, jogging across the room, and placing it into the second computer? It’s called a “sneakernet,” and sneakernets are back.

According to the Wikipedia definition, sneakernet is a tongue-in-cheek term used to describe the transfer of electronic information, especially computer files, by physically carrying removable media such as magnetic tape, floppy disks, compact discs, USB flash drives or external hard drives from one computer to another. Sneaker refers to the shoes of the person carrying the media. This is usually in lieu of transferring the information over a computer network.

It’s a real issue with thumb drives. They are so easy to use, quick and so small that people often use them to transport files around the office or to take work home. It’s just too easy to move data around without the chain of custody that’s required for data integrity. The vast majority of sloppy endpoint practices are the result of employees who are frustrated by snags in their normal work environment and are just trying to get things done quickly. A network acts up, or some encryption program gets bogged down, so a worker just goes for the easiest solution.

At first glance, it’s their convenient size that is also their undoing. USB thumb drives are easy to steal and easy to forget about. According to several privacy experts, many companies don’t even know how many thumb drives they have in the building. And because they are so cheap, employees bring in their own. So when a drive full of critical data is stolen, often, no one knows. Think about your own agency. Does anyone know how many USB drives are out there being used with your agency’s data on them?

The reality is that this has caught the majority unprepared. Most agencies were, and still are, focusing on centralized data, purchasing firewalls and intrusion detection systems. But we were forgetting about sneakernets, which, at the end of the day, may become the next wave of security nightmares. Those tiny storage devices can render all of those millions of dollars spent on centralized network security obsolete.

There are other key factors that contribute to a broken system. The biggest factor is that companies, organizations and law enforcement agencies have often ignored the delete key. Most are now very much in the habit of copying and keeping data around just for the heck of it. There are countless examples of personal information lost when a laptop disappears. In many of those stories, the data lost had no business being on that laptop.

Freedom of Information legislation in the USA and Canada sometimes regulates specific government agencies on what and how long they can keep data on their servers. But there is rarely an expiration date on any of this data unless purge schedules are strictly adhered to. So the data just hangs around, waiting to be stolen. It’s not uncommon to hear about lost laptops with stolen data dating back to the 1990s. This is another reason to ensure that law enforcement agencies with mobile computing solutions have been diligent in providing secure vehicle docking stations that are not easily removed by criminals in search of data.

The use of consumer-grade laptops mounted in poorly constructed or installed vehicle docking stations makes your agency a target for organized criminals looking for access to police records. Docking stations should be locked with non-generic keys (not keyed alike) so the loss of one key does not jeopardize your entire fleet. The docks themselves should be secured to the vehicle’s base plate with specialized security bolts machined with unique tool patterns that allow for only a special tool to remove them. It is the same idea as the commonly used vehicle special wheel nut lock kits that have a single special key unique to that particular nut lock set.

The situation is very serious but hardly hopeless. There are several technologies that make endpoints much safer. Laptops can be loaded with software that “phones home” when an unauthorized user connects it to the Internet. Many advanced thumb drives offer encryption tools for just a few dollars more. There are generally two views on how to make your agency safe—a software solution or a hardware solution. Both are good, and both have excellent methods to lock down your endpoint security concerns. Ultimately, each agency will have to review its options and evaluate which solution works best for its unique business process deployment.

SanDisk has a nifty product with a small hardware attachment that requires thumbprints before data can be accessed. SanDisk Cruzer® Enterprise FIPS Edition Centennial with FIPS 140-2 Level 2 certification for encryption.

The Cruzer Enterprise FIPS Edition caters to the ultra-sensitive security requirements of government agencies and financial institutions. Rather than rely upon users to secure files, SanDisk Cruzer Enterprise FIPS Edition imposes mandatory access control on all files. The files are stored in a secure partition that implements the strongest 256-bit hardware-based AES encryption.

Federal Information Processing Standard 140-1 (FIPS 140-1) and its successor FIPS 140-2 are U.S. government standards that provide a benchmark for implementing cryptographic software. They specify best practices for implementing crypto algorithms, handling key material and data buffers, and working with the operating system. Evaluation is administered by the Cryptographic Module Validation (CMV) Program of the National Institute of Standards and Technology (NIST) in the United States and the Communications Security Establishment (CSE) in Canada. The CMV program was established in July of 1995. All of the tests under the CMV program are handled by third-party accredited laboratories. When choosing data security or cryptography-related products, agencies in the U.S. and Canadian federal governments should refer to the FIPS 140-1 and FIPS 140-2 validation list (http://csrc.nist.gov/cryptval).

Centennial Software offers software called DeviceWall that stops data from ever being released out of the USB port unless a security manager approves it and only allows the data to be read off the USB device by approved computers. DeviceWall improves network security by locking down the unauthorized use of removable media devices, such as USB sticks, MP3 players, PDAs and even CDs.

Lumension Security has a couple of offerings that are extremely effective in securing data. Lumension looks at the issue from two distinct modes of software control. The first is decentralized, meaning the security key resides on the USB drive or other storage device. The second is centralized, which means the security key never exists on the USB drive or device; it always resides on the authorized laptop or desktop that receives the data. The encryption is, of course, FIPS 140-2 Level 2.

Lumension’s Sanctuary Application Control® and Sanctuary Device Control® provide endpoint security through a proactive approach that enables only authorized applications to run and only authorized devices to connect to a server, terminal services server, thin client, laptop or desktop—facilitating security and systems management, while giving the organization the flexibility it needs to easily enable the use of new or upgraded applications or devices.

Sanctuary provides the necessary controls to secure endpoints from unknown software, malicious code, and unauthorized applications, as well as to manage and secure inbound and outbound data flow from endpoints. It does this by putting a low-level lock on the operating system (OS). This is even better than a typical administrator lock-down of the device because even if malware somehow gets in, the Sanctuary Application doesn’t allow it to execute. Admin Lockdown is a defendable layer that sits on top of the Windows OS lockdown, which stops attempts to defeat the OS admin lock down at a code or binary level.

This is much different than the usual virus protection software that needs a virus list to be constantly updated to ensure it will recognize the attacking program. Sanctuary doesn’t need to know if it’s bad or good; it simply doesn’t let it run unless it’s approved to run, period.

Lumension’s endpoint security solution ensures the confidentiality and integrity of sensitive data by enforcing encryption when copied to removable media. Sanctuary also can show the effectiveness or ineffectiveness of an organization’s endpoint security policy, by providing detailed audit information that shows successful and unsuccessful attempts to connect a device or execute an application on a protected endpoint. This is very important in a world where hackers can produce malware that is designed to sit dormant on a device until it is plugged in. Then the malware executes, and it’s too late to stop the damage.
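The difference between a signature list and an approved list, together with the audit trail of execution attempts, is shown in the added example below; it is not Lumension's code and not part of the original article. Identifying programs by SHA-256 hash, the function names, and the sample byte strings are assumptions made for illustration.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed byte strings standing in for executables (not real files).
APPROVED_CLIENT = b"constructed: approved records client 1.0"
KNOWN_VIRUS = b"constructed: virus already on the signature list"
DORMANT_PAYLOAD = b"constructed: new program waiting on a thumb drive"
TAMPERED_CLIENT = APPROVED_CLIENT + b"\x90"  # approved file, one byte added

# Assumption: both lists identify a program by its SHA-256 hash.
SIGNATURE_LIST = {sha256(KNOWN_VIRUS)}       # antivirus model: block listed
APPROVED_LIST = {sha256(APPROVED_CLIENT)}    # default-deny: run listed only

def signature_scan_allows(data: bytes) -> bool:
    """Antivirus model: anything not yet on the virus list may run."""
    return sha256(data) not in SIGNATURE_LIST

def approved_list_allows(data: bytes) -> bool:
    """Default-deny model: only approved hashes may run."""
    return sha256(data) in APPROVED_LIST

def attempt_execution(name: str, source: str, data: bytes, audit: list) -> bool:
    """Enforce the approved list and record every attempt, allowed or denied."""
    allowed = approved_list_allows(data)
    audit.append({"file": name, "source": source, "sha256": sha256(data),
                  "result": "ALLOWED" if allowed else "DENIED"})
    return allowed

def run_demo() -> list:
    audit = []
    attempts = [("records.exe", "C:", APPROVED_CLIENT),
                ("old_virus.exe", "USB", KNOWN_VIRUS),
                ("update.exe", "USB", DORMANT_PAYLOAD),
                ("records.exe", "USB", TAMPERED_CLIENT)]
    for name, source, data in attempts:
        attempt_execution(name, source, data, audit)
    return audit

if __name__ == "__main__":
    print("signature scan lets new USB program run:",
          signature_scan_allows(DORMANT_PAYLOAD))
    for entry in run_demo():
        print(entry["result"], entry["source"], entry["file"], entry["sha256"][:12])
```

The program that is new to the signature list passes the antivirus-style check but is denied by the approved list, and the audit records every denied attempt along with the drive it came from.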

Ask yourself this: What is the type of USB drive? What is going onto the USB drive? What is coming off the USB drive?

Complete endpoint security is achieved with Lumension’s Sanctuary by enforcing endpoint security policies that prevent known and unknown threats from executing, such as malware, viruses, spyware and zero-day threats. It controls and monitors the flow of inbound and outbound data, then safeguards the confidentiality, integrity and availability of that sensitive data on desktops. It protects against network and desktop security breaches where confidential data could be exposed to fraud. Then it provides a detailed audit trail of all device and application execution attempts by tracking data that is copied to and from removable devices and by controlling what data is allowed to be copied to a device at the file level.

Thanks to the plummeting prices of data storage, it’s become common practice for organizations to simply keep every bit of data they ever gather. Storing it is cheaper than taking the time to occasionally clean it up. Warehousing data for the heck of it may be human nature, but it’s still no excuse. Clearly, companies and government agencies need to implement high-end solutions to keep data safe. But while they are thrashing about trying to select the highest technologies, some low-tech troubleshooting needs to be done immediately. Thumb drive encryption should be standard policy.

From a hardware perspective, one of the biggest names in thumb drive encryption is IronKey. The company provides multiple levels of USB thumb drives for agencies, all of them FIPS 140-2 Level 2 validated, secure, hardware-encrypted USB flash drives, thumb drives, and pen drives.

IronKey has three service levels: Basic, Personal, and Enterprise. With Personal, users get use of the private TOR network free for one year and a small fee per year thereafter. With Enterprise, administrators get extra control over devices and a more sophisticated certificate infrastructure.

IronKey is scooping awards across the globe. This year, IronKey was named 2008 Mobile Star Awards™ Gold Winner in the Hardware: Portable Storage Category. As far as security USB devices go, this device is superb. It is straightforward and simple to use; the IronKey is a winner.

The IronKey is designed as the world’s most secure USB flash drive, and home users can choose from two options. The basic IronKey is what it says it is: a secure USB stick that benefits from the same degree of hardware encryption as the other products in the range. The second, and most popular, option is the IronKey Personal. Its secure sessions that keep you safe and “anonymous” while you are online are impressive. This is perfect for personal banking or logging into company Internet sites. Corporate customers are accommodated by the IronKey Enterprise. It is a premium service, launched in April 2008 in the U.S., and is for those who wish to take their security to the next level. As a managed service, it permits full control of a collection of devices from a central unit or location. All the IronKey products are easy to use and very secure.

Of course, the best possible protection solution would be a combination of software and hardware that stringently requires the end user to adhere to the agency’s policies regarding information dissemination and protection. The data and information that is collected on a daily basis requires strict protection. It is encouraging to hear that many levels of government, especially law enforcement, are looking at solutions to keep data and information safe. These efforts should be applauded and, we hope, will lead to fewer stories in the media of embarrassing data protection infringements by the loss of protected data.

In today’s world of ever-changing technology, companies, organizations, government agencies, and especially law enforcement should be conducting endpoint security audits, reviewing the results, and determining a course of action that will protect them from any loss of data or attack on their systems.

Brad Brewer is a sergeant with the Vancouver Police Department. He can be reached at brad.brewer@vpd.ca.